Applocker — CraftedSignal Threat Feed

Detect PowerShell AppLocker Policy Import Activity

hello@craftedsignal.io — Wed, 03 Jan 2024 18:23:00 +0000

This threat brief outlines the detection of malicious PowerShell activity involving the import of AppLocker policies. Attackers may use AppLocker to enforce restrictive policies on compromised systems, which can lead to the disabling of security products like antivirus software, as observed with the Azorult malware. The activity is detected through PowerShell Script Block Logging, specifically EventCode 4104, which captures and analyzes script block text for the use of “Import-Module Applocker” and “Set-AppLockerPolicy” commands with an XML policy file. Detecting this activity early is crucial to prevent attackers from establishing persistence and further compromising the system by bypassing security controls.

Attack Chain

An attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.
The attacker executes a PowerShell script to import the AppLocker module using Import-Module Applocker.
The script then uses Set-AppLockerPolicy to apply a new AppLocker policy.
The -XMLPolicy parameter is used to specify an XML file containing the malicious AppLocker rules.
The new AppLocker policy restricts the execution of legitimate applications, including antivirus software.
The attacker establishes persistence by ensuring the malicious AppLocker policy is applied at system startup.
With security controls disabled, the attacker deploys and executes additional malware or performs lateral movement.
The final objective is data exfiltration or further system compromise.

Impact

A successful attack can lead to the complete bypass of endpoint security controls, leaving systems vulnerable to malware infections and data breaches. This can result in significant financial losses, reputational damage, and legal liabilities. If security software is disabled on a large number of endpoints, the impact is organization-wide.

Recommendation

Enable PowerShell Script Block Logging (EventCode 4104) on all endpoints to capture the necessary data for detection.
Deploy the Sigma rule Detect AppLocker Policy Import via PowerShell to your SIEM and tune for your environment.
Investigate any alerts generated by the Sigma rule, focusing on the ScriptBlockText and the source of the PowerShell execution.
Implement strict AppLocker policies to prevent unauthorized applications from running.
Monitor endpoints for unexpected changes to AppLocker policies.

Suspicious AppLocker XML Policy Import via PowerShell

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This brief focuses on detecting the suspicious use of PowerShell to import AppLocker XML policies. Attackers may leverage this technique to impair defenses by modifying AppLocker policies to allow malicious executables or scripts to run, bypassing existing security measures. The observed behavior involves the use of “Import-Module Applocker” and “Set-AppLockerPolicy” commands combined with the “-XMLPolicy” parameter. This activity has been linked to malware such as Azorult, where adversaries attempt to weaken endpoint security to facilitate further compromise. Defenders should prioritize monitoring for this behavior, as successful manipulation of AppLocker policies can lead to significant security breaches and persistent access for malicious actors.

Attack Chain

The attacker gains initial access to the system (details of initial access are not provided in the source).
The attacker executes PowerShell.exe.
The attacker imports the AppLocker module using Import-Module Applocker.
The attacker uses the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter to specify a path to a malicious AppLocker XML policy file.
The malicious AppLocker policy is applied, potentially whitelisting attacker-controlled files or paths.
The attacker executes previously blocked malicious code, leveraging the modified AppLocker policy.
The attacker achieves persistence and further compromises the system.

Impact

Successful execution of this attack allows adversaries to impair endpoint defenses by modifying AppLocker policies. This can lead to the execution of malware that would otherwise be blocked. The observed behavior has been linked to the Azorult malware family. The compromise of endpoint security can allow for persistence, data exfiltration, and further lateral movement within the network.

Recommendation

Deploy the Sigma rule Detect AppLocker Policy Import via PowerShell to your SIEM to detect suspicious AppLocker policy modifications.
Enable Sysmon Event ID 1 and Windows Event Log Security 4688 to provide the necessary process creation and command-line auditing for the Sigma rule.
Investigate any instances where Import-Module Applocker and Set-AppLockerPolicy are used together, especially when the -XMLPolicy parameter is present.
Review existing AppLocker policies for unexpected or unauthorized modifications.

AppLocker Registry Modification to Deny Security Software Execution

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers can leverage AppLocker to modify the Windows registry to deny the execution of security products, effectively impairing defenses. This technique involves manipulating registry keys and values associated with AppLocker policies to block specific antivirus and security software. This activity is often associated with malware such as Azorult, which attempts to disable or bypass security measures. By successfully blocking security software, attackers can facilitate further malicious activities, such as malware installation, data exfiltration, and persistence within the compromised environment. Defenders should monitor for unusual AppLocker registry modifications that target known security product vendors to identify potential attempts to disable defenses.

Attack Chain

Attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.
Attacker elevates privileges to gain administrative access, required to modify AppLocker policies.
Attacker modifies the registry keys associated with AppLocker policies, specifically targeting the Software Restriction Policies (SRP) to deny execution of security software.
The attacker modifies the registry_value_data within HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\ to include Action=“Deny” for targeted security vendors like Symantec, McAfee, or Kaspersky.
AppLocker policies are updated based on the modified registry settings.
The targeted security software is prevented from executing, effectively disabling or impairing its functionality.
Attacker proceeds to install malware, exfiltrate data, or establish persistence without interference from the disabled security software.
The attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.

Impact

Successful exploitation can lead to a significant degradation of the security posture of the affected system. By disabling or impairing security software, attackers can bypass critical defenses and gain unfettered access to sensitive data and systems. This can lead to data breaches, financial losses, reputational damage, and disruption of business operations. The Azorult malware has been observed using this technique to disable security products.

Recommendation

Enable Sysmon Event ID 13 to monitor registry modifications and activate the provided Sigma rules (process_creation and registry_set).
Deploy the provided Sigma rules to detect AppLocker registry modifications targeting security software vendors and tune for your environment.
Investigate any alerts generated by the Sigma rules to identify potentially malicious activity, correlating with other endpoint telemetry.
Review and audit AppLocker policies to ensure they are configured correctly and not being used to block legitimate security software.